real-browser-cli 0.14.2__py3-none-any.whl

browser_cli/sdk/session.py

@@ -0,0 +1,72 @@
+"""Session namespace: ``b.session.*``."""
+from __future__ import annotations
+
+from browser_cli.sdk.base import Namespace, sdk_command
+
+def _load_args(name, gentle_mode, discard_background_tabs, lazy, eager_tabs) -> dict:
+  return {
+    "name": name,
+    "gentleMode": gentle_mode,
+    "discardBackgroundTabs": discard_background_tabs,
+    "lazy": lazy,
+    "eagerTabs": eager_tabs,
+  }
+
+class SessionNS(Namespace):
+  """Save, restore, list, and diff browser sessions."""
+
+  @sdk_command("session.save", lambda self, name: {"name": name}, default={})
+  def save(self, name: str) -> dict:
+    """Save all current tabs as session *name*. Returns the save result (incl. tab count)."""
+
+  def load(
+    self,
+    name: str,
+    *,
+    gentle_mode: str = "auto",
+    discard_background_tabs: bool = False,
+    lazy: bool = False,
+    eager_tabs: int = 10,
+  ) -> dict:
+    """Restore session *name*. Returns the load result (incl. tabs opened)."""
+    return self.command("session.load", _load_args(name, gentle_mode, discard_background_tabs, lazy, eager_tabs)) or {}
+
+  def load_background(
+    self,
+    name: str,
+    *,
+    gentle_mode: str = "auto",
+    discard_background_tabs: bool = False,
+    lazy: bool = False,
+    eager_tabs: int = 10,
+  ) -> dict:
+    """Restore session *name* as a background job. Returns the job descriptor."""
+    args = _load_args(name, gentle_mode, discard_background_tabs, lazy, eager_tabs)
+    return self.command("session.load", {**args, "__background": True}) or {}
+
+  @sdk_command("session.diff", lambda self, name_a, name_b: {"nameA": name_a, "nameB": name_b}, default={})
+  def diff(self, name_a: str, name_b: str) -> dict:
+    """Diff two saved sessions."""
+
+  @sdk_command("session.export", lambda self, name=None: {"name": name}, default={})
+  def export(self, name: str | None = None) -> dict:
+    """Export one saved session, or all sessions when *name* is omitted."""
+
+  @sdk_command("session.import", lambda self, name, session, overwrite=False: {"name": name, "session": session, "overwrite": overwrite}, default={})
+  def import_(self, name: str, session: dict, *, overwrite: bool = False) -> dict:
+    """Import a saved session payload under *name*."""
+
+  def list(self) -> list[dict]:
+    """Return saved sessions.
+
+    In implicit multi-browser mode each session dict includes a ``browser`` key.
+    """
+    return self.multi_list("session.list", {}, self.tag_browser)
+
+  @sdk_command("session.remove", lambda self, name: {"name": name}, return_result=False)
+  def remove(self, name: str) -> None:
+    """Remove a saved session."""
+
+  @sdk_command("session.auto_save", lambda self, enabled: {"enabled": enabled}, return_result=False)
+  def auto_save(self, enabled: bool) -> None:
+    """Enable or disable automatic session saves."""

browser_cli/sdk/tabs.py

@@ -0,0 +1,213 @@
+"""Tabs namespace: ``b.tabs.*``."""
+from __future__ import annotations
+
+from collections.abc import Callable, Iterable
+
+from browser_cli.models import BrowserCounts, Tab
+from browser_cli.sdk.base import Namespace
+
+class TabsNS(Namespace):
+  """List, open, close, move, and inspect browser tabs."""
+
+  def list(self) -> list[Tab]:
+    """Return all open tabs across all windows.
+
+    When multiple browsers are active and no browser was specified, each Tab
+    includes ``tab.browser`` naming its source browser.
+    """
+    return self.multi_list("tabs.list", {}, self.tab_from_target)
+
+  def open(
+    self,
+    url: str,
+    *,
+    wait: bool = False,
+    timeout: float = 30.0,
+    background: bool = False,
+    focus: bool = False,
+    window: str | None = None,
+    group: str | None = None,
+  ) -> Tab:
+    """Open *url* in a new tab and return a bound :class:`Tab`.
+
+    Set ``wait=True`` to block until the page reaches ``readyState=complete``.
+    Pass ``focus=True`` to explicitly bring the created tab/window forward.
+    """
+    if wait:
+      return self._c.nav.open_wait(url, timeout=timeout, background=background, focus=focus, window=window, group=group)
+    return self.require_tab(
+      self.command("navigate.open", {"url": url, "background": background or not focus, "focus": focus, "window": window, "group": group}),
+      "navigate.open returned unexpected data",
+    )
+
+  def get(self, tab_id: int) -> Tab:
+    """Return a specific tab by ID."""
+    return self.status(tab_id)
+
+  def active(self) -> Tab:
+    """Return the active tab."""
+    return self.status()
+
+  def query(self, search: str) -> list[Tab]:
+    """Search tabs by URL or title."""
+    return [self.tab_from(t) for t in (self.command("tabs.query", {"search": search}) or [])]
+
+  def first(self, search: str) -> Tab | None:
+    """Return the first tab matching *search*, or ``None``."""
+    matches = self.query(search)
+    return matches[0] if matches else None
+
+  def close(
+    self,
+    tab_id: int | None = None,
+    *,
+    tab_ids: Iterable[int | Tab] | None = None,
+    inactive: bool = False,
+    duplicates: bool = False,
+    gentle_mode: str = "auto",
+  ) -> int:
+    """Close tab(s). Returns the number of tabs closed.
+
+    Pass ``tab_ids`` to close many tabs in a single round-trip. Accepts tab
+    IDs or :class:`Tab` objects. ``gentle_mode`` (auto/normal/gentle/ultra)
+    controls throttling of large close operations.
+    """
+    ids = None
+    if tab_ids is not None:
+      ids = [t.id if isinstance(t, Tab) else t for t in tab_ids]
+    result = self.command("tabs.close", {
+      "tabId": tab_id,
+      "tabIds": ids,
+      "inactive": inactive,
+      "duplicates": duplicates,
+      "gentleMode": gentle_mode,
+    })
+    return self.field(result, "closed", 1)
+
+  def close_inactive(self) -> int:
+    """Close all inactive tabs. Returns count closed."""
+    return self.field(self.command("tabs.close", {"inactive": True}), "closed", 0)
+
+  def close_duplicates(self) -> int:
+    """Close duplicate tabs. Returns count closed."""
+    return self.field(self.command("tabs.close", {"duplicates": True}), "closed", 0)
+
+  def move(
+    self, tab_id: int, *,
+    forward: bool = False, backward: bool = False,
+    group_id: int | None = None, window_id: int | None = None, index: int | None = None,
+  ) -> None:
+    self.command("tabs.move", {
+      "tabId": tab_id, "forward": forward, "backward": backward,
+      "groupId": group_id, "windowId": window_id, "index": index,
+    })
+
+  def activate(self, tab_id: int) -> None:
+    """Switch browser focus to a tab by ID."""
+    self.command("tabs.active", {"tabId": tab_id})
+
+  def status(self, tab_id: int | None = None) -> Tab:
+    """Return status for the active tab or a specific tab."""
+    return self.require_tab(self.command("tabs.status", {"tabId": tab_id}), "No tab status returned")
+
+  def mute(self, tab_id: int | None = None) -> int:
+    """Mute the active tab or a specific tab. Returns the target tab ID."""
+    return self.toggle_tab("tabs.mute", tab_id)
+
+  def unmute(self, tab_id: int | None = None) -> int:
+    """Unmute the active tab or a specific tab. Returns the target tab ID."""
+    return self.toggle_tab("tabs.unmute", tab_id)
+
+  def pin(self, tab_id: int | None = None) -> int:
+    """Pin the active tab or a specific tab. Returns the target tab ID."""
+    return self.toggle_tab("tabs.pin", tab_id)
+
+  def unpin(self, tab_id: int | None = None) -> int:
+    """Unpin the active tab or a specific tab. Returns the target tab ID."""
+    return self.toggle_tab("tabs.unpin", tab_id)
+
+  def watch_url(self, pattern: str, *, tab_id: int | None = None, timeout: float = 30.0) -> Tab:
+    """Block until the tab URL matches regex pattern. Returns the Tab."""
+    return self.require_tab(
+      self.command("tabs.watch_url", {"pattern": pattern, "tabId": tab_id, "timeout": int(timeout * 1000)}),
+      "tabs.watch_url returned unexpected data",
+    )
+
+  def wait_for_load(
+    self,
+    tab_id: int | None = None,
+    *,
+    timeout: float = 30.0,
+    ready_state: str = "complete",
+  ) -> Tab:
+    """Block until the tab finishes loading. Returns the Tab when ready.
+
+    Args:
+      tab_id: Tab to watch. Defaults to the active tab.
+      timeout: Max seconds to wait before raising ``RuntimeError``.
+      ready_state: ``"complete"`` (default) or ``"interactive"``.
+    """
+    return self.require_tab(
+      self.command("navigate.wait", {
+        "tabId": tab_id,
+        "timeout": int(timeout * 1000),
+        "readyState": ready_state,
+      }),
+      "navigate.wait returned unexpected data",
+    )
+
+  def screenshot(
+    self,
+    tab_id: int | None = None,
+    *,
+    format: str = "png",
+    quality: int | None = None,
+  ) -> str:
+    """Capture the visible area of a tab. Returns a base64 data URL.
+
+    Args:
+      tab_id: Tab to capture. Defaults to the active tab.
+      format: ``"png"`` (default) or ``"jpeg"``.
+      quality: JPEG quality 0-100 (ignored for PNG).
+    """
+    result = self.command("tabs.screenshot", {"tabId": tab_id, "format": format, "quality": quality})
+    return self.field(result, "dataUrl", "", fallback=str(result))
+
+  def active_in_window(self, window_id: int) -> Tab:
+    """Return active tab for a specific browser window."""
+    return self.require_tab(
+      self.command("tabs.active_in_window", {"windowId": window_id}),
+      f"No active tab found for window {window_id}",
+    )
+
+  def filter(
+    self,
+    pattern_or_filter: str | Callable[[Tab], bool] | Callable[[list[Tab]], Iterable[Tab]],
+  ) -> list[Tab]:
+    """Return tabs filtered by URL pattern or a Python callable."""
+    if isinstance(pattern_or_filter, str):
+      return [self.tab_from(t) for t in (self.command("tabs.filter", {"pattern": pattern_or_filter}) or [])]
+    return self.apply_tab_filter(pattern_or_filter)
+
+  def count(self, pattern: str | None = None) -> "int | BrowserCounts":
+    """Count open tabs, optionally filtered by URL pattern.
+
+    Returns ``BrowserCounts`` in implicit multi-browser mode.
+    """
+    return self.multi_count("tabs.count", {"pattern": pattern})
+
+  def html(self, tab_id: int | None = None) -> str:
+    """Return the full HTML source of the active (or specified) tab."""
+    return self.command("tabs.html", {"tabId": tab_id}) or ""
+
+  def dedupe(self, *, gentle_mode: str = "auto") -> int:
+    """Close duplicate tabs (keep the first occurrence of each URL). Returns count closed."""
+    return self.field(self.command("tabs.dedupe", {"gentleMode": gentle_mode}), "closed", 0)
+
+  def sort(self, by: str = "domain", *, gentle_mode: str = "auto") -> None:
+    """Sort tabs within each window. *by* is one of 'domain', 'title', 'time'."""
+    self.command("tabs.sort", {"by": by, "gentleMode": gentle_mode})
+
+  def merge_windows(self, *, gentle_mode: str = "auto") -> int:
+    """Move all tabs into the focused window. Returns count moved."""
+    return self.field(self.command("tabs.merge_windows", {"gentleMode": gentle_mode}), "moved", 0)

browser_cli/sdk/windows.py

@@ -0,0 +1,26 @@
+"""Windows namespace: ``b.windows.*``."""
+from __future__ import annotations
+
+from browser_cli.sdk.base import Namespace, sdk_command
+
+class WindowsNS(Namespace):
+  """List, open, close, and rename browser windows."""
+
+  def list(self) -> list[dict]:
+    """Return browser windows.
+
+    In implicit multi-browser mode each window dict includes a ``browser`` key.
+    """
+    return self.multi_list("windows.list", {}, self.tag_browser)
+
+  @sdk_command("windows.open", lambda self, url=None: {"url": url}, default={})
+  def open(self, url: str | None = None) -> dict:
+    """Open a new browser window, optionally on a URL."""
+
+  @sdk_command("windows.close", lambda self, window_id: {"windowId": window_id}, return_result=False)
+  def close(self, window_id: int) -> None:
+    """Close a browser window by ID."""
+
+  @sdk_command("windows.rename", lambda self, window_id, name: {"windowId": window_id, "name": name}, return_result=False)
+  def rename(self, window_id: int, name: str) -> None:
+    """Rename a browser window."""

browser_cli/sdk/workflow_decorators.py

@@ -0,0 +1,200 @@
+"""Shared workflow decorator implementation for sync and async SDK clients."""
+from __future__ import annotations
+
+import functools
+import time
+from collections.abc import Callable
+from typing import TypeVar
+
+F = TypeVar("F", bound=Callable)
+_NO_INJECT = object()
+
+class WorkflowDecoratorsMixin:
+  """Shared implementation for sync and async workflow decorators.
+
+  Subclasses only define *how* browser calls, user functions, and sleeps are
+  executed. The actual decorators live once here, so sync and async SDKs stay
+  in lockstep.
+  """
+
+  _c: object
+
+  @staticmethod
+  def _inject(kwargs: dict, keyword: str | None, value):
+    if keyword is not None:
+      kwargs[keyword] = value
+      return (), kwargs
+    return (value,), kwargs
+
+  def _run(self, func: Callable, *args, **kwargs):
+    return func(*args, **kwargs)
+
+  def _call_wrapped(self, func: Callable, *args, **kwargs):
+    return func(*args, **kwargs)
+
+  def _sleep(self, delay: float) -> None:
+    time.sleep(delay)
+
+  def _value_decorator(
+    self,
+    func: F | None,
+    get_value: Callable,
+    *,
+    keyword: str | None | object = "tab",
+    cleanup: Callable | None = None,
+  ):
+    """Build a decorator around a browser-side value lookup.
+
+    ``get_value`` always runs before the wrapped function. If ``keyword`` is
+    ``_NO_INJECT`` the value is only used by ``cleanup`` and is not passed to
+    the wrapped function. ``keyword=None`` injects it positionally.
+    """
+
+    def decorator(fn: F) -> F:
+      @functools.wraps(fn)
+      def wrapper(*args, **kwargs):
+        value = self._run(get_value)
+        try:
+          extra_args = ()
+          if keyword is not _NO_INJECT:
+            extra_args, kwargs = self._inject(kwargs, keyword, value)
+          return self._call_wrapped(fn, *extra_args, *args, **kwargs)
+        finally:
+          if cleanup is not None:
+            self._run(cleanup, value)
+      return wrapper  # type: ignore[return-value]
+
+    return decorator(func) if func is not None else decorator
+
+  def active_tab(self, func: F | None = None, *, keyword: str | None = "tab"):
+    """Decorate a function so it receives the current active tab.
+
+    By default the tab is injected as ``tab=...``. Pass ``keyword=None`` to
+    pass it as the first positional argument instead.
+    """
+    return self._value_decorator(func, self._c.tabs.active, keyword=keyword)  # type: ignore[attr-defined]
+
+  def new_tab(
+    self,
+    url: str,
+    *,
+    wait: bool = False,
+    timeout: float = 30.0,
+    background: bool = False,
+    focus: bool = False,
+    window: str | None = None,
+    group: str | None = None,
+    close: bool = False,
+    keyword: str | None = "tab",
+  ):
+    """Open *url* for the wrapped function and inject the created tab.
+
+    Set ``close=True`` to close the tab in a ``finally`` block after the
+    wrapped function returns or raises.
+    """
+    def open_tab():
+      return self._c.tabs.open(  # type: ignore[attr-defined]
+        url,
+        wait=wait,
+        timeout=timeout,
+        background=background,
+        focus=focus,
+        window=window,
+        group=group,
+      )
+
+    def close_tab(tab):
+      tab.close()
+
+    return self._value_decorator(None, open_tab, keyword=keyword, cleanup=close_tab if close else None)
+
+  def wait_for_selector(
+    self,
+    selector: str,
+    *,
+    timeout: float = 10.0,
+    visible: bool = False,
+    hidden: bool = False,
+    tab_id: int | None = None,
+    keyword: str | None = None,
+  ):
+    """Wait for a selector before calling the wrapped function.
+
+    Pass ``keyword="result"`` (or similar) to inject the wait result into
+    the wrapped function. By default the result is not injected.
+    """
+    def wait():
+      return self._c.dom.wait_for(  # type: ignore[attr-defined]
+        selector,
+        timeout=timeout,
+        visible=visible,
+        hidden=hidden,
+        tab_id=tab_id,
+      )
+
+    inject = keyword if keyword is not None else _NO_INJECT
+    return self._value_decorator(None, wait, keyword=inject)
+
+  def wait_for_url(
+    self,
+    pattern: str,
+    *,
+    tab_id: int | None = None,
+    timeout: float = 30.0,
+    keyword: str | None = "tab",
+  ):
+    """Wait until a tab URL matches *pattern* before calling the function."""
+    def wait():
+      return self._c.tabs.watch_url(pattern, tab_id=tab_id, timeout=timeout)  # type: ignore[attr-defined]
+
+    inject = keyword if keyword is not None else _NO_INJECT
+    return self._value_decorator(None, wait, keyword=inject)
+
+  def performance_profile(self, profile: str, *, restore: bool = True):
+    """Temporarily set the extension performance profile around a function."""
+    def decorator(fn: F) -> F:
+      @functools.wraps(fn)
+      def wrapper(*args, **kwargs):
+        previous = None
+        if restore:
+          previous = self._run(self._c.perf.status).get("performanceProfile")  # type: ignore[attr-defined]
+        self._run(self._c.perf.set_profile, profile)  # type: ignore[attr-defined]
+        try:
+          return self._call_wrapped(fn, *args, **kwargs)
+        finally:
+          if previous:
+            self._run(self._c.perf.set_profile, previous)  # type: ignore[attr-defined]
+      return wrapper  # type: ignore[return-value]
+    return decorator
+
+  def save_session_before(self, name: str):
+    """Save the current browser session before running the function."""
+    return self._value_decorator(None, lambda: self._c.session.save(name), keyword=_NO_INJECT)  # type: ignore[attr-defined]
+
+  def retry(
+    self,
+    *,
+    times: int = 3,
+    delay: float = 0.0,
+    exceptions: tuple[type[BaseException], ...] = (Exception,),
+  ):
+    """Retry the wrapped function when it raises one of *exceptions*."""
+    attempts = max(1, times)
+
+    def decorator(fn: F) -> F:
+      @functools.wraps(fn)
+      def wrapper(*args, **kwargs):
+        last_error = None
+        for attempt in range(attempts):
+          try:
+            return self._call_wrapped(fn, *args, **kwargs)
+          except exceptions as exc:
+            last_error = exc
+            if attempt == attempts - 1:
+              raise
+            if delay > 0:
+              self._sleep(delay)
+        raise last_error  # type: ignore[misc]
+      return wrapper  # type: ignore[return-value]
+    return decorator
+

browser_cli/serve/auth.py

@@ -0,0 +1,107 @@
+"""Client validation and authentication for ``browser-cli serve``."""
+from __future__ import annotations
+
+import json
+import re
+from typing import Literal
+
+from browser_cli.compat import adapt_auth
+from browser_cli.serve.logging import log_request
+from browser_cli.version_manager import PROTOCOL_MIN_CLIENT, parse_version
+
+_UA_PATTERN = re.compile(r"^browser-cli/\d")
+AuthDecodeResult = tuple[bytes | None, bool] | tuple[Literal[False], Literal[False]]
+
+class ServeAuthMixin:
+  addr: tuple
+  command: str
+  client_ver: str
+  msg_id: object
+  nonce: str
+  pq_private_key: object | None
+  auth_keys: list[str] | None
+  response_secret: bytes | None
+
+  async def send_error(self, msg: str, msg_id=None) -> None: ...
+
+  async def validate_client(self, msg: dict) -> bool:
+    self.msg_id = msg.get("id")
+    ua = msg.get("user_agent") or ""
+    if not _UA_PATTERN.match(ua):
+      await self.send_error("forbidden: client required")
+      log_request(self.addr, msg.get("command", "?"), None, "DENIED", f"bad user-agent: {ua!r}")
+      return False
+    try:
+      self.client_ver = ua.split("/", 1)[1]
+      if parse_version(self.client_ver) < parse_version(PROTOCOL_MIN_CLIENT):
+        await self.send_error(f"client version {self.client_ver} is too old; please upgrade to >= {PROTOCOL_MIN_CLIENT}")
+        log_request(self.addr, msg.get("command", "?"), None, "DENIED", f"client {self.client_ver} < min {PROTOCOL_MIN_CLIENT}")
+        return False
+    except (IndexError, ValueError):
+      pass
+    return True
+
+  async def authenticate(self, msg: dict) -> dict | None:
+    if self.auth_keys is None:
+      return msg
+
+    pub = msg.get("pubkey") or ""
+    sig = msg.get("sig") or ""
+    if not pub or not sig:
+      await self.send_error("unauthorized: pubkey auth required — run 'browser-cli auth keygen' on the client")
+      log_request(self.addr, self.command, None, "DENIED", "missing pubkey/sig")
+      return None
+    if pub not in self.auth_keys:
+      await self.send_error("unauthorized: untrusted public key")
+      log_request(self.addr, self.command, None, "DENIED", "untrusted key")
+      return None
+
+    pq_shared_secret, transport_encrypted = await self._decode_pq_transport(msg, pub, sig)
+    if pq_shared_secret is False:
+      return None
+
+    from browser_cli.auth import verify
+    if not verify(pub, bytes.fromhex(self.nonce), msg, sig, pq_shared_secret):
+      await self.send_error("unauthorized: invalid signature")
+      log_request(self.addr, self.command, None, "DENIED", "bad signature")
+      return None
+    self.response_secret = pq_shared_secret if transport_encrypted else None
+    return msg
+
+  async def _decode_pq_transport(self, msg: dict, pub: str, sig: str) -> AuthDecodeResult:
+    pq_shared_secret = None
+    transport_encrypted = False
+    if self.pq_private_key is None:
+      return pq_shared_secret, transport_encrypted
+
+    kex = msg.get("pq_kex") or {}
+    pq_required = parse_version(self.client_ver) >= parse_version("0.9.5")
+    if not isinstance(kex, dict) or kex.get("alg") != "ML-KEM-768" or not kex.get("ciphertext"):
+      if pq_required:
+        await self.send_error("unauthorized: post-quantum key exchange required")
+        log_request(self.addr, self.command, None, "DENIED", "missing pq kex")
+        return False, False
+      return pq_shared_secret, transport_encrypted
+
+    try:
+      from browser_cli.auth import pq_decrypt, pq_kex_server_decapsulate
+      pq_shared_secret = pq_kex_server_decapsulate(self.pq_private_key, str(kex["ciphertext"]))
+      if "encrypted" in msg:
+        decrypted_msg = json.loads(pq_decrypt(pq_shared_secret, "request", msg["encrypted"]))
+        if not isinstance(decrypted_msg, dict):
+          raise ValueError("encrypted request is not a JSON object")
+        decrypted_msg.update({"pubkey": pub, "sig": sig, "pq_kex": kex})
+        msg.clear()
+        msg.update(adapt_auth(decrypted_msg, self.client_ver))
+        self.msg_id = msg.get("id", self.msg_id)
+        self.command = msg.get("command", "?")
+        transport_encrypted = True
+      elif pq_required:
+        await self.send_error("unauthorized: post-quantum encrypted transport required")
+        log_request(self.addr, self.command, None, "DENIED", "missing pq transport")
+        return False, False
+    except Exception:
+      await self.send_error("unauthorized: invalid post-quantum encrypted transport")
+      log_request(self.addr, self.command, None, "DENIED", "bad pq transport")
+      return False, False
+    return pq_shared_secret, transport_encrypted

browser_cli/serve/control.py

@@ -0,0 +1,59 @@
+"""Built-in control commands handled directly by ``browser-cli serve``."""
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+from browser_cli.serve.logging import log_request
+
+class ServeControlMixin:
+  addr: tuple
+  command: str
+  auth_keys_path: Path | None
+
+  async def send_error(self, msg: str, msg_id=None) -> None: ...
+  async def send_ok(self, payload, command: str | None = None) -> None: ...
+
+  async def handle_control_command(self, msg: dict) -> bool:
+    if self.command == "browser-cli.targets":
+      from browser_cli.client import active_browser_targets
+      targets = [
+        {"profile": target.profile, "displayName": target.display_name}
+        for target in active_browser_targets(include_remotes=False)
+      ]
+      await self.send_ok(targets, self.command)
+      log_request(self.addr, self.command, None, "OK")
+      return True
+
+    if self.command == "browser-cli.auth.keys":
+      if self.auth_keys_path is None:
+        await self.send_error("no authorized keys file configured on this server")
+        log_request(self.addr, self.command, None, "ERROR", "no authorized keys file")
+        return True
+      from browser_cli.auth import load_authorized_keys_with_names
+      entries = [{"pubkey": pk, "name": name} for pk, name in load_authorized_keys_with_names(self.auth_keys_path)]
+      await self.send_ok(entries, self.command)
+      log_request(self.addr, self.command, None, "OK")
+      return True
+
+    if self.command == "browser-cli.auth.trust":
+      return await self._handle_trust(msg)
+    return False
+
+  async def _handle_trust(self, msg: dict) -> bool:
+    if self.auth_keys_path is None:
+      await self.send_error("no authorized keys file configured on this server")
+      log_request(self.addr, self.command, None, "ERROR", "no authorized keys file")
+      return True
+    from browser_cli.auth import add_authorized_key
+    args = msg.get("args") or {}
+    pubkey = str(args.get("pubkey") or "")
+    name = str(args.get("name") or "")
+    if not re.fullmatch(r"[0-9a-f]{64}", pubkey):
+      await self.send_error("invalid pubkey: expected 64 lowercase hex characters")
+      log_request(self.addr, self.command, None, "ERROR", "invalid pubkey")
+      return True
+    added = add_authorized_key(self.auth_keys_path, pubkey, name)
+    await self.send_ok({"added": added}, self.command)
+    log_request(self.addr, self.command, None, "OK" if added else "ALREADY_TRUSTED")
+    return True